Code-Projects Simple Food Ordering System Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Simple Food Ordering System version 1.0, specifically within the addcategory.php file. This issue arises from inadequate input sanitization of the cname argument, allowing attackers to inject malicious scripts that are permanently stored and executed in the context of users who access the affected page. The vulnerability can be exploited remotely without authentication, but requires user interaction.

Impact

Exploitation of this vulnerability allows for the injection of persistent malicious JavaScript that executes automatically in the browsers of users who view the compromised content. This could lead to session hijacking, account takeover, data theft, and unauthorized actions performed on behalf of the affected user.

Reproduction

To reproduce this vulnerability, navigate to the addcategory.php page and locate the input field for the cname argument. Submit a script payload, such as a simple alert script, which will be stored and executed when the page is accessed by other users.

Remediation

It is recommended to validate the cname value on input (for example, restrict it to the characters and length a category name legitimately needs) and to apply context-appropriate output encoding wherever the stored value is rendered, particularly in the addcategory.php file. Additionally, a Content Security Policy (CSP) should be established to limit the impact of any XSS that slips past those controls.
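As an added illustration of that remediation (this is not code from the Simple Food Ordering System and does not reflect how addcategory.php is actually written), the following hypothetical handler validates the category name on input, HTML-encodes it on output, and sends a restrictive CSP header; the function names and the HTML markup are assumptions, only the cname field name comes from the advisory.

```php
<?php
// Added example (not the project's own code): a hypothetical category handler
// showing the two fixes the advisory recommends, plus a CSP header.

declare(strict_types=1);

// 1. Input validation: a category name is short plain text. Reject anything
//    else rather than trying to strip dangerous characters out of it.
function validateCategoryName(string $raw): string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        throw new InvalidArgumentException('Category name must be 1-50 characters');
    }
    // Letters (any script), digits, spaces and a few punctuation marks only.
    if (!preg_match('/^[\p{L}\p{N} \-&\'.]+$/u', $name)) {
        throw new InvalidArgumentException('Category name contains disallowed characters');
    }
    return $name;
}

// 2. Output encoding: whatever was stored, encode it for the HTML context at
//    the moment it is rendered. ENT_QUOTES also covers attribute values.
function renderCategory(string $storedName): string
{
    $safe = htmlspecialchars($storedName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li class="category">' . $safe . '</li>';
}

// 3. Defence in depth: a CSP without 'unsafe-inline' stops injected inline
//    script from running even if an encoding step is missed somewhere.
//    Headers must be sent before any output.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Request flow for a POST carrying the cname field.
sendCspHeader();
try {
    $cname = validateCategoryName($_POST['cname'] ?? '');
    // Persist $cname with a prepared statement here, then render it encoded.
    echo renderCategory($cname);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Input validation alone is not sufficient: a value that was stored before the fix, or that enters through another path, is still neutralized only by the output encoding step.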

Added: Oct 27, 2025, 6:27 PM
Updated: Oct 27, 2025, 6:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.8
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.